Abstract 


RFC 4279 and RFC 4785 describe pre-shared key cipher suites for 
Transport Layer Security (TLS). However, all those cipher suites use 
SHA-1 in their Message Authentication Code (MAC) algorithm. This 
document describes a set of pre-shared key cipher suites for TLS that 
uses stronger digest algorithms (i.e., SHA-256 or SHA-384) and 
another set that uses the Advanced Encryption Standard (AES) in 
Galois Counter Mode (GCM). 
1. Introduction 


The benefits of pre-shared symmetric-key vs. public-/private-key pair 
based authentication for the key exchange in TLS have been explained 
in the Introduction of [RFC4279]. This document leverages the 
already defined algorithms for the application of newer, generally 
regarded stronger, cryptographic primitives and building blocks. 


TLS 1.2 [RFC5246] adds support for authenticated encryption with 
additional data (AEAD) cipher modes [RFC5116]. This document 
describes the use of Advanced Encryption Standard [AES] in Galois 
Counter Mode [GCM] (AES-GCM) with various pre-shared key (PSK) 
authenticated key exchange mechanisms ([RFC4279] and [RFC4785]) in 
cipher suites for TLS. 


This document also specifies PSK cipher suites for TLS that replace 
SHA-1 by SHA-256 or SHA-384 [SHS]. RFC 4279 [RFC4279] and RFC 4785 
[RFC4785] describe PSK cipher suites for TLS. However, all of the 
RFC 4279 and the RFC 4785 cipher suites use HMAC-SHA1 as their MAC 
algorithm. Due to recent analytic work on SHA-1 [Wang05], the IETF 
is gradually moving away from SHA-1 and towards stronger hash 
algorithms. 


Related TLS cipher suites with key exchange algorithms that are 
authenticated using public/private key pairs have recently been 
specified: 

o RSA-, DSS-, and Diffie-Hellman-based cipher suites in [RFC5288], 
and 

Badra Standards Track [Page 2] 

RFC 5487 TLS PSK New MAC and AES-GCM March 2009 

o ECC-based cipher suites with SHA-256/384 and AES-GCM in [RFC5289]. 


The reader is expected to become familiar with these two memos prior 
to studying this document. 


1.1. Applicability Statement 


The cipher suites defined in Section 3 can be negotiated, whatever 
the negotiated TLS version is. 


The cipher suites defined in Section 2 can be negotiated in TLS 
version 1.2 or higher. 


The applicability statement in [RFC4279] applies to this document as 
well. 


1.2. Conventions Used in This Document 


The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 
document are to be interpreted as described in [RFC2119]. 


2. PSK, DHE_PSK, and RSA_PSK Key Exchange Algorithms with AES-GCM 


The following six cipher suites use the new authenticated encryption 
modes defined in TLS 1.2 with AES in Galois Counter Mode [GCM]. The 
cipher suites with the DHE_PSK key exchange algorithm 
(TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 and 
TLS_DHE_PSK_WITH_AES_256_GCM_SHA384) provide Perfect Forward Secrecy 
(PFS). 

CipherSuite TLS_PSK_WITH_AES_128_GCM_SHA256 = {0x00,0xA8}; 
CipherSuite TLS_PSK_WITH_AES_256_GCM_SHA384 = {0x00,0xA9}; 
CipherSuite TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 = {0x00,0xAA}; 
CipherSuite TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 = {0x00,0xAB}; 
CipherSuite TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 = {0x00,0xAC}; 
CipherSuite TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 = {0x00,0xAD}; 

These cipher suites use authenticated encryption with additional data 
(AEAD) algorithms, AEAD_AES_128_GCM and AEAD_AES_256_GCM, as 
described in RFC 5116. GCM is used as described in [RFC5288]. 

The PSK, DHE_PSK, and RSA_PSK key exchanges are performed as defined 
in [RFC4279]. 

The Pseudo-Random Function (PRF) algorithms SHALL be as follows: 


o For cipher suites ending with _SHA256, the PRF is the TLS PRF 
[RFC5246] with SHA-256 as the hash function. 


o For cipher suites ending with _SHA384, the PRF is the TLS PRF 
[RFC5246] with SHA-384 as the hash function. 


Implementations MUST send a TLS Alert 'bad_record_mac' for all types 
of failures encountered in processing the AES-GCM algorithm. 


3. PSK, DHE_PSK, and RSA_PSK Key Exchange with SHA-256/384 


The first two cipher suites described in each of the following three 
sections use AES [AES] in Cipher Block Chaining (CBC) mode [MODES] 
for data confidentiality, whereas the other two cipher suites do not 
provide data confidentiality; all cipher suites provide integrity 
protection and authentication using HMAC-based MACs. 


3.1. PSK Key Exchange Algorithm with SHA-256/384 


CipherSuite TLS_PSK_WITH_AES_128_CBC_SHA256 = {0x00,0xAE}; 
CipherSuite TLS_PSK_WITH_AES_256_CBC_SHA384 = {0x00,0xAF}; 
CipherSuite TLS_PSK_WITH_NULL_SHA256 = {0x00,0xB0}; 
CipherSuite TLS_PSK_WITH_NULL_SHA384 = {0x00,0xB1}; 

The above four cipher suites are the same as the corresponding cipher 
suites in RFC 4279 and RFC 4785 (with names ending in "_SHA" in place 
of "_SHA256" or "_SHA384"), except for the hash and PRF algorithms, 
as explained below. 

o For cipher suites with names ending in "_SHA256": 

* The MAC is HMAC [RFC2104] with SHA-256 as the hash function. 

* When negotiated in a version of TLS prior to 1.2, the PRF from 
that version is used; otherwise, the PRF is the TLS PRF 
[RFC5246] with SHA-256 as the hash function. 

o For cipher suites with names ending in "_SHA384": 

* The MAC is HMAC [RFC2104] with SHA-384 as the hash function. 

* When negotiated in a version of TLS prior to 1.2, the PRF from 
that version is used; otherwise, the PRF is the TLS PRF 
[RFC5246] with SHA-384 as the hash function. 
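Added example, not text from RFC 5487 nor code from any implementation it cites: it selects the TLS 1.2 PRF hash from the cipher-suite name suffix as Sections 2 and 3.1 require, implements P_hash from RFC 5246, and builds the RFC 4279 premaster secret for the plain PSK key exchange (DHE_PSK and RSA_PSK fill the "other_secret" differently and are not covered). The PSK, randoms and helper names are constructed for illustration.

```python
import hmac

# Added example, not text from RFC 5487: the sample PSK, randoms and
# label below are constructed; the suite names and rules are the RFC's.

# Suffix of the negotiated suite name selects the TLS 1.2 PRF hash
# (RFC 5487 sections 2 and 3.1); the legacy "_SHA" suites are not handled.
SUITE_PRF_HASH = {"_SHA256": "sha256", "_SHA384": "sha384"}


def prf_hash_for_suite(suite_name: str) -> str:
    """Return the hash the TLS 1.2 PRF uses for a SHA-256/384 PSK suite."""
    for suffix, digest in SUITE_PRF_HASH.items():
        if suite_name.endswith(suffix):
            return digest
    raise ValueError(f"not a SHA-256/384 cipher suite: {suite_name}")


def p_hash(digest: str, secret: bytes, seed: bytes, length: int) -> bytes:
    """P_<hash> from RFC 5246 section 5: HMAC(secret, A(i) || seed) chained."""
    out, a = b"", seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, digest).digest()  # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, digest).digest()
    return out[:length]


def tls12_prf(suite_name: str, secret: bytes, label: bytes, seed: bytes,
              length: int) -> bytes:
    """TLS 1.2 PRF = P_<hash>(secret, label || seed), hash chosen by suite."""
    return p_hash(prf_hash_for_suite(suite_name), secret, label + seed, length)


def psk_premaster_secret(psk: bytes) -> bytes:
    """RFC 4279 section 2 premaster secret for the plain PSK key exchange:
    uint16 N, N zero octets (the 'other_secret'), uint16 N, the PSK."""
    if not 1 <= len(psk) <= 0xFFFF:
        raise ValueError("PSK length must fit a uint16 and be non-zero")
    n = len(psk).to_bytes(2, "big")
    return n + bytes(len(psk)) + n + psk


if __name__ == "__main__":
    suite = "TLS_PSK_WITH_AES_256_GCM_SHA384"
    psk = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
    randoms = b"\x11" * 32 + b"\x22" * 32  # constructed client || server random
    master = tls12_prf(suite, psk_premaster_secret(psk),
                       b"master secret", randoms, 48)
    print(suite, "->", prf_hash_for_suite(suite), master.hex())
```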
3.2. DHE_PSK Key Exchange Algorithm with SHA-256/384 


CipherSuite TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 = {0x00,0xB2}; 
CipherSuite TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 = {0x00,0xB3}; 
CipherSuite TLS_DHE_PSK_WITH_NULL_SHA256 = {0x00,0xB4}; 
CipherSuite TLS_DHE_PSK_WITH_NULL_SHA384 = {0x00,0xB5}; 


The above four cipher suites are the same as the corresponding cipher 
suites in RFC 4279 and RFC 4785 (with names ending in "_SHA" in place 
of "_SHA256" or "_SHA384"), except for the hash and PRF algorithms, 
as explained in Section 3.1. 


3.3. RSA_PSK Key Exchange Algorithm with SHA-256/384 


CipherSuite TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 = {0x00,0xB6}; 
CipherSuite TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 = {0x00,0xB7}; 
CipherSuite TLS_RSA_PSK_WITH_NULL_SHA256 = {0x00,0xB8}; 
CipherSuite TLS_RSA_PSK_WITH_NULL_SHA384 = {0x00,0xB9}; 


The above four cipher suites are the same as the corresponding cipher 
suites in RFC 4279 and RFC 4785 (with names ending in "_SHA" in place 
of "_SHA256" or "_SHA384"), except for the hash and PRF algorithms, 
as explained in Section 3.1. 


4. Security Considerations 


The security considerations in [RFC4279], [RFC4785], and [RFC5288] 
apply to this document as well. In particular, as authentication- 
only cipher suites (with no encryption) defined here do not support 
confidentiality, care should be taken not to send sensitive 
information (such as passwords) over connections protected with one 
of the cipher suites with NULL encryption defined in this document. 


5. IANA Considerations 


IANA has assigned the following values for the cipher suites defined 
in this document: 


CipherSuite TLS_PSK_WITH_AES_128_GCM_SHA256 = {0x00,0xA8}; 
CipherSuite TLS_PSK_WITH_AES_256_GCM_SHA384 = {0x00,0xA9}; 
CipherSuite TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 = {0x00,0xAA}; 
CipherSuite TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 = {0x00,0xAB}; 
CipherSuite TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 = {0x00,0xAC}; 
CipherSuite TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 = {0x00,0xAD}; 
CipherSuite TLS_PSK_WITH_AES_128_CBC_SHA256 = {0x00,0xAE}; 
CipherSuite TLS_PSK_WITH_AES_256_CBC_SHA384 = {0x00,0xAF}; 
CipherSuite TLS_PSK_WITH_NULL_SHA256 = {0x00,0xB0}; 
CipherSuite TLS_PSK_WITH_NULL_SHA384 = {0x00,0xB1}; 
CipherSuite TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 = {0x00,0xB2}; 
CipherSuite TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 = {0x00,0xB3}; 
CipherSuite TLS_DHE_PSK_WITH_NULL_SHA256 = {0x00,0xB4}; 
CipherSuite TLS_DHE_PSK_WITH_NULL_SHA384 = {0x00,0xB5}; 
CipherSuite TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 = {0x00,0xB6}; 
CipherSuite TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 = {0x00,0xB7}; 
CipherSuite TLS_RSA_PSK_WITH_NULL_SHA256 = {0x00,0xB8}; 
CipherSuite TLS_RSA_PSK_WITH_NULL_SHA384 = {0x00,0xB9}; 